DMA and GDPR: Balancing Data Sharing and Privacy
Some time ago European Law blog published an article: Search queries and anonymisation: How to read Article 6(11) of the DMA and the GDPR together? It discusses intersection requirements of Article 6(11) of Digital Markets Act (DMA) on sharing data with requirements General Data Protection Regulation (GDPR) to safeguard personal data.
The DMA, a regulation enacted by the European Union on November 1, 2022, aims to regulate large digital platforms, known as “gatekeepers,” such as Alphabet, Amazon, and Meta. The European Commission designated these companies on September 6, 2023, giving them six months to comply with the DMA. By March 6, 2024, these gatekeepers were expected to have made necessary adjustments to meet the DMA’s requirements. Article 6(11) of the DMA mandates that gatekeepers provide access to ranking, query, click, and view data to third-party search engines under fair, reasonable, and non-discriminatory terms while anonymizing any personal data.
The intersection of the DMA and the GDPR is a focal point, particularly concerning the anonymization of personal data. The DMA’s anonymization requirements aim to facilitate data sharing without compromising user privacy. However, achieving true anonymization is complex and context-dependent. Techniques such as global differential privacy, local differential privacy, and k-anonymization are discussed, each with varying degrees of effectiveness and utility. The DMA suggests that anonymization must protect user data without significantly degrading its usefulness for third-party search engines, a challenging balance to strike.
Several questions arise from Article 6(11), including the appropriate anonymization techniques, the implementation of context controls, and the practicalities of data access and pricing. The DMA could signal a shift in the EU’s approach to anonymization, emphasizing the need for consistent standards and the legitimacy of processing purposes. As anonymization remains governed by data protection law, it is crucial that data subjects are informed and have the right to object. The DMA, along with other EU legislative proposals, underscores the importance of balancing data utility and confidentiality.
KEY TAKEAWAYS
- Achieving true anonymization is complex and context-dependent.
- Techniques like global differential privacy, local differential privacy, and k-anonymization are discussed.
- The DMA’s approach to anonymization could shift EU standards.
- The DMA emphasizes balancing data utility and confidentiality.
- Practical questions about data access, pricing, and context controls remain.
- The DMA complements the GDPR but raises questions about their interplay.
- The EU continues to develop a consistent approach to anonymization.